Legal claims defining the scope of protection, as filed with the USPTO.
1. A computerized method comprising: receiving event data associated with network activities of a plurality of entities that interact with a computer network; identifying instances of potential network compromise automatically determined from the event data, wherein the instances include threats and anomalies, the instances are associated with entities that participated in the network activities from which the instances were determined, and each threat is an automated determination based on one or more of the anomalies; automatically determining a score for each of the plurality of entities, wherein each said score indicates a risk level based on the number and/or type of identified instances of potential network compromise associated with the entity; and causing display, in a graphical user interface, of a threat view that includes an indication of a determined score, wherein: the threat view identifies a particular threat and one or more entities, of the plurality of entities, that participated in network activities that triggered determination of the particular threat, each entity of the one or more entities identified in the threat view is displayed in association with a score for that entity and a first link, the first link configured such that activation of the first link causes the graphical user interface to generate a second view that provides additional information about that entity, the additional information about that entity including one or more detected anomalies associated with that entity and one or more detected threats associated with that entity; and the threat view displays a plurality of types of anomalies associated with the particular threat and, for each displayed type of anomaly associated with the particular threat, a number of anomalies of that type detected for the particular threat, the threat view further including a second link configured such that activation of the second link causes the graphical user interface to generate a third view that provides additional information about one or more anomalies detected for the particular threat.
2. The method of claim 1, wherein the second view includes the number of anomalies associated with the entity.
3. The method of claim 1, wherein the second view includes the number of threats associated with the entity and the number of anomalies associated with the entity.
4. The method of claim 1, wherein the graphical user interface provides a prompt for filtering the threat view according to score, and upon selection by a user of a score via the graphical user interface, filtering the threat view to include only the entities associated with scores corresponding to the user's selection.
5. The method of claim 1, wherein the graphical user interface comprises a listing of users in a computer network of an organization including the department in which the user is assigned in the organization.
6. The method of claim 1, wherein the graphical user interface comprises a listing of network users in a computer network of an organization and further includes, for each network user, the date of the most recent automated determination regarding the network user's involvement in an instance of potential network compromise.
7. The method of claim 1, wherein the graphical user interface comprises a listing of devices communicating on the network and associated with an instance of potential network compromise, and further wherein the listing includes, for each device, the date of the most recent automated determination regarding the device's involvement in the instance of potential network compromise.
8. The method of claim 1, wherein the graphical user interface further includes, for each entity, the date of the most recent update regarding the entity's participation in an instance of potential network compromise, and wherein the graphical user interface provides a prompt for filtering the view according to date, and upon selection by a user of a temporal range via the graphical user interface, filtering the view to include only the entities associated with a date of most recent update falling within the selected temporal range.
9. The method of claim 1, wherein the threat view comprises a listing of applications that have run on the network and are associated with an instance of network compromise, and, upon selection of an entry in the listing, providing a fourth view illustrating the relationship between the application and an identified instance of potential network compromise associated with the application.
10. The method of claim 1, further comprising: upon selection by a user of an entity in the threat view, generating a view of the entity providing additional information, including a trends graph illustrating any changes in the score associated with the entity over a period of time.
11. The method of claim 1, wherein the second view includes an illustration of the relationship between the entity and an associated instance of potential network compromise.
12. The method of claim 1, wherein the second view includes an illustration of how recent network activities associated with the entity have varied from a baseline of activity.
13. The method of claim 1, further comprising: upon selection by a user of an entity in the threat view via the graphical user interface, generating a view of the entity including a prompt for a user to tag the selected entity for future tracking; and upon receiving a selection by a user of a tag, associating the tag with the selected entity such that the tag is included in the additional data provided in response to subsequent requests to generate the view of the selected entity.
14. The method of claim 1, further comprising: upon receiving a selection by a user, via the graphical user interface, of a link in the second view, generating a view listing instances of potential network compromise that are associated with the entity.
15. The method of claim 1, further comprising: upon receiving a selection by a user, via the graphical user interface, of a link in the second view of the entity, generating a view listing instances of potential network compromise that are associated with the entity, wherein each listed instance includes a link to a view of that instance.
16. A non-transitory, computer-readable storage medium storing instructions, an execution of which in a computer system causes the computer system to perform operations comprising: receiving event data associated with network activities of a plurality of entities that interact with a computer network; identifying instances of potential network compromise automatically determined from the event data, wherein the instances include threats and anomalies, the identified instances are associated with entities that participated in the network activities from which the instances were determined, and each threat is an automated determination based on one or more of the anomalies; automatically determining a score for each of the plurality of entities, wherein each said score indicates a risk level based on the number and/or type of identified instances of potential network compromise associated with the entity; and causing display, in a graphical user interface, of a threat view that includes an indication of a determined score, wherein: the threat view identifies a particular threat and one or more entities, of the plurality of entities, that participated in network activities that triggered determination of the particular threat, each entity of the one or more entities identified in the threat view is displayed in association with a score for that entity and a first link, the first link configured such that activation of the first link causes the graphical user interface to generate a second view that provides additional information about that entity, the additional information about that entity including one or more detected anomalies associated with that entity and one or more detected threats associated with that entity; and the threat view displays a plurality of types of anomalies associated with the particular threat and, for each displayed type of anomaly associated with the particular threat, a number of anomalies of that type detected for the particular threat, the threat view further including a second link configured such that activation of the second link causes the graphical user interface to generate a third view that provides additional information about one or more anomalies detected for the particular threat.
17. The computer-readable storage medium of claim 16, wherein the second view includes, for the corresponding entity, the number of anomalies associated with the entity.
18. The computer-readable storage medium of claim 16, wherein the second view includes, for the corresponding entity, the number of threats associated with the entity and the number of anomalies associated with the entity.
19. The computer-readable storage medium of claim 16, wherein the graphical user interface provides a prompt for filtering the threat view according to score, and upon selection by a user of a score via the graphical user interface, filtering the view to include only the entities associated with scores corresponding to the user's selection.
20. The computer-readable storage medium of claim 16, wherein the graphical user interface comprises a listing of users in a computer network of an organization including, if known, the department in which the user is assigned in the organization.
21. The computer-readable storage medium of claim 16, wherein the graphical user interface comprises a listing of network users in a computer network of an organization, and further includes, for each network user, the date of the most recent automated determination regarding the network user's participation in an instance of potential network compromise.
22. A computer system comprising: computer memory for storing machine data; and a processor for: receiving event data associated with network activities of a plurality of entities that interact with a computer network; identifying instances of potential network compromise automatically determined from the event data, wherein the instances include threats and anomalies, the identified instances are associated with entities that participated in the network activities from which the instances were determined, and each threat is an automated determination based on one or more of the anomalies; automatically determining a score for each of the plurality of entities, wherein each said score indicates a risk level based on the number and/or type of identified instances of potential network compromise associated with the entity; and causing display, in a graphical user interface, of a threat view that includes an indication of a determined score, wherein: the threat view identifies a particular threat and one or more entities, of the plurality of entities, that participated in network activities that triggered determination of the particular threat, each entity of the one or more entities identified in the threat view is displayed in association with a score for that entity and a first link, the first link configured such that activation of the first link causes the graphical user interface to generate a second view that provides additional information about that entity, the additional information about that entity including one or more detected anomalies associated with that entity and one or more detected threats associated with that entity; and the threat view displays a plurality of types of anomalies associated with the particular threat and, for each displayed type of anomaly associated with the particular threat, a number of anomalies of that type detected for the particular threat, the threat view further including a second link configured such that activation of the second link causes the graphical user interface to generate a third view that provides additional information about one or more anomalies detected for the particular threat.
23. The computer system of claim 22, wherein the second view lists, for the corresponding entity, the number of anomalies associated with the entity.
24. The computer system of claim 22, wherein the second view includes, for the corresponding entity, the number of threats associated with the entity and the number of anomalies associated with the entity.
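The scoring and view-generation steps that claims 1, 16 and 22 describe (anomalies grouped into threats, a per-entity risk score driven by the number and type of detections, a threat view with per-type anomaly counts, and an entity "second view"), written out as an added example; it is not code from the patent or from any product implementing it, and the anomaly types, weights and sample detections are constructed for illustration.

```python
from collections import Counter

# Constructed sample detections: each anomaly is tied to the entity whose
# activity raised it; each threat is an automated roll-up of anomaly ids.
ANOMALIES = [
    {"id": "a1", "entity": "user:alice", "type": "unusual_login_hour"},
    {"id": "a2", "entity": "user:alice", "type": "excessive_data_transfer"},
    {"id": "a3", "entity": "host:db-01", "type": "excessive_data_transfer"},
    {"id": "a4", "entity": "user:bob",   "type": "unusual_login_hour"},
    {"id": "a5", "entity": "host:db-01", "type": "rare_process"},
]
THREATS = [
    {"id": "t1", "name": "Data exfiltration",   "anomaly_ids": ["a1", "a2", "a3"]},
    {"id": "t2", "name": "Compromised account", "anomaly_ids": ["a4"]},
]

# Hypothetical weights (assumed, not from the patent): the claims only say the
# score depends on the number and/or type of instances tied to the entity.
ANOMALY_WEIGHTS = {"unusual_login_hour": 1, "excessive_data_transfer": 3, "rare_process": 2}
THREAT_WEIGHT = 5

def entity_scores(anomalies, threats):
    """Risk score per entity: weighted anomaly count plus a fixed weight for
    every threat in which the entity's anomalies participated."""
    by_id = {a["id"]: a for a in anomalies}
    scores = Counter()
    for a in anomalies:
        scores[a["entity"]] += ANOMALY_WEIGHTS.get(a["type"], 1)
    for t in threats:
        for entity in {by_id[i]["entity"] for i in t["anomaly_ids"]}:
            scores[entity] += THREAT_WEIGHT
    return dict(scores)

def threat_view(threat_id, anomalies, threats):
    """Threat view: participating entities with their scores, ranked by risk,
    and the number of anomalies of each type detected for the threat."""
    by_id = {a["id"]: a for a in anomalies}
    threat = next(t for t in threats if t["id"] == threat_id)
    members = [by_id[i] for i in threat["anomaly_ids"]]
    scores = entity_scores(anomalies, threats)
    entities = sorted({a["entity"] for a in members}, key=lambda e: -scores[e])
    return {"threat": threat["name"],
            "entities": [(e, scores[e]) for e in entities],
            "anomaly_type_counts": dict(Counter(a["type"] for a in members))}

def entity_view(entity, anomalies, threats):
    """Second view: the entity's score with its own anomalies and threats."""
    mine = [a for a in anomalies if a["entity"] == entity]
    ids = {a["id"] for a in mine}
    return {"entity": entity, "score": entity_scores(anomalies, threats)[entity],
            "anomalies": [a["type"] for a in mine],
            "threats": [t["name"] for t in threats if ids & set(t["anomaly_ids"])]}
```

With the sample data, `threat_view("t1", ANOMALIES, THREATS)` ranks `host:db-01` (score 10) above `user:alice` (score 9) and reports two `excessive_data_transfer` anomalies and one `unusual_login_hour` anomaly for the threat.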
April 20, 2021